8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: AuthContext.java,v 1.25 2009/11/21 01:12:59 qcheng Exp $
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington * Portions Copyrighted 2010-2015 ForgeRock AS.
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport com.iplanet.dpro.session.service.SessionService;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.comm.client.PLLClient;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.comm.share.RequestSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.comm.share.Response;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.naming.WebtopNaming;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.client.AuthClientUtils;
2be91e1dc30415725e38dc015cda79cb41c5d4a5Phill Cunningtonimport com.sun.identity.authentication.server.AuthContextLocal;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.service.AMAuthErrorCode;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.service.AuthException;
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunningtonimport com.sun.identity.authentication.service.LoginState;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.share.AuthXMLTags;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.share.AuthXMLUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.spi.AuthLoginException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.util.ISAuthConstants;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AMSecurityPropertiesException;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport com.sun.identity.security.AdminTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.shared.locale.L10NMessageImpl;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport org.forgerock.guice.core.InjectorHolder;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport org.forgerock.openam.session.SessionCache;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport javax.security.auth.callback.Callback;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport javax.servlet.http.HttpServletRequest;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshottimport javax.servlet.http.HttpServletResponse;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>AuthContext</code> provides the implementation for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticating users.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * A typical caller instantiates this class and starts the login process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The caller then obtains an array of <code>Callback</code> objects,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which contains the information required by the authentication plug-in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * module. The caller requests information from the user. On receiving
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the information from the user, the caller submits the same to this class.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * While more information is required, the above process continues until all
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the information required by the plug-ins/authentication modules, has
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * been supplied. The caller then checks if the user has successfully
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * been authenticated. If successfully authenticated, the caller can
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * then get the <code>Subject</code> and <code>SSOToken</code> for the user;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if not successfully authenticated, the caller obtains the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthLoginException</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The implementation supports authenticating users either locally,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * i.e., in process with all authentication modules configured, or remotely
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to an authentication service/framework. (See documentation to configure
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in either of the modes).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class AuthContext extends Object implements java.io.Serializable {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SystemProperties.get(Constants.AM_SERVER_PROTOCOL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SystemProperties.get(Constants.AM_SERVER_HOST);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SystemProperties.get(Constants.AM_SERVER_PORT);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SystemProperties.getAsBoolean(Constants.REMOTEAUTH_INCLUDE_REQRES);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String amAuthContext = "amAuthContext";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String JSS_PASSWORD_UTIL =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "com.sun.identity.authentication.util.JSSPasswordUtil";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String JSSE_PASSWORD_CALLBACK =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "com.sun.identity.security.keystore.AMCallbackHandler";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster System.getProperty(Constants.PROTOCOL_HANDLER, Constants.JSSE_HANDLER);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Debug & I18N class
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected static Debug authDebug = Debug.getInstance(amAuthContext);
41202e15f589286770cacca433bbee5df379d00bAllan Foster com.sun.identity.shared.locale.Locale.getInstallResourceBundle(amAuthContext);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster com.sun.identity.authentication.server.AuthContextLocal acLocal = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private final static int DEFAULT_RETRY_COUNT = 1;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private int retryRunLogin = DEFAULT_RETRY_COUNT;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Variables for checking whether the auth service is running locally
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Variables for local AuthService identifier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Variable to check if 6.3 style remote AuthN has to be performed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static boolean useOldStyleRemoteAuthentication;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static boolean useNewStyleRemoteAuthentication;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // this cookieTable is used to keep all the cookies retrieved from the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // PLL layer and replay them in subsequent auth requests, mainly for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // persistence purpose.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private HttpServletRequest remoteRequest = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private HttpServletResponse remoteResponse = null;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott private final SessionCache sessionCache = SessionCache.getInstance();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an instance of <code>AuthContext</code> for a given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization name or sub organization name. This organization or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sub-organization name must be either "/" separated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (where it starts with "/"), a DN, a domain name or a DNS alias name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Caller would then use <code>login</code> to start the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication process and use <code>getRequirements()</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>submitRequirements()</code> to pass the credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * needed for authentication by the plugin authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method <code>getStatus()</code> returns the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName Name of the user's organization.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if <code>AuthContext</code> creation fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This exception is kept for backward compatibility only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthContext(String orgName) throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an instance of <code>AuthContext</code> for a given
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * organization name, or sub organization name and the OpenAM server
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This organization or sub-organization name must be either "/" separated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (where it starts with "/"), a DN, a domain name or a DNS alias name.
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * And the <code>url</code> should specify the OpenAM server's protocol,
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * host name, and port number,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for example : <code>http://daye.red.iplanet.com:58080</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Caller would then use <code>login</code> to start the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication process and use <code>getRequirements()</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>submitRequirements()</code> to pass the credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * needed for authentication by the plugin authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method <code>getStatus()</code> returns the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName name of the user's organization
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * @param url URL of the OpenAM instance to talk to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if <code>AuthContext</code> creation fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This exception is kept for backward compatibility only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthContext(String orgName, URL url) throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an instance of <code>AuthContext</code> for a given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization name, or sub organization name and a nick name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for the certificate to be used in SSL handshake if client authentication
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is enabled on the server side.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This organization or sub-organization name must be either "/" separated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (where it starts with "/"), a DN, a domain name or a DNS alias name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This constructor would be mainly used for the Certificate based
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication. If the certificate database contains multiple matching
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * certificates for SSL, this constructor must be called in order for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * desired certificate to be used for the Certificate based authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Caller would then use <code>login</code> to start the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication process and use <code>getRequirements()</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>submitRequirements()</code> to pass the credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * needed for authentication by the plugin authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method <code>getStatus()</code> returns the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName name of the user's organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param nickName nick name for the certificate to be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if <code>AuthContext</code> creation fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This exception is kept for backward compatibility only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthContext(String orgName, String nickName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an instance of <code>AuthContext</code> for a given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization name, or sub organization name, a nick name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for the certificate to be used in SSL handshake if client authentication
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * is enabled on the server side and the OpenAM URL.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This organization or sub-organization name must be either "/" separated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (where it starts with "/"), a DN, a domain name or a DNS alias name.
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * And the <code>url</code> should specify the OpenAM server's protocol,
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * host name, and port number,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for example : <code>http://daye.red.iplanet.com:58080</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This constructor would be mainly used for the Certificate based
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication. If the certificate database contains multiple matching
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * certificates for SSL, this constructor must be called in order for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * desired certificate to be used for the Certificate based authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Caller would then use <code>login</code> to start the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication process and use <code>getRequirements()</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>submitRequirements()</code> to pass the credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * needed for authentication by the plugin authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method <code>getStatus()</code> returns the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName name of the user's organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param nickName nick name for the certificate to be used
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * @param url URL of the OpenAM server to talk to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if <code>AuthContext</code> creation fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This exception is kept for backward compatibility only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthContext(String orgName, String nickName, URL url)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an instance of <code>AuthContext</code> for a given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization name, or sub organization name contained in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * single sign on token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This constructor should be called for re-authentication of an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated user. The single sign on token is the authenticated resource's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Single-Sign-On Token. If the session properties based on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the login method used match those in the user's new
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated session then session upgrade will be done.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * A new session containing properties from both old single sign on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and new session shall be returned and old session will be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * destroyed if authentication passes.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Caller would then use <code>login</code> to start the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication process and use <code>getRequirements()</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>submitRequirements()</code> to pass the credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * needed for authentication by the plugin authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method <code>getStatus()</code> returns the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ssoToken single sign on token representing the resource's previous
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated session.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if <code>AuthContext</code> creation fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This exception is kept for backward compatibility only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthContext(SSOToken ssoToken) throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an instance of <code>AuthContext</code> for a given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization name, or sub organization name contained in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * single sign on token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This constructor should be called for re-authentication of an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated user. The single sign on token is the authenticated resource's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Single-Sign-On Token. If the session properties based on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the login method used match those in the user's new
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated session then session upgrade will be done.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If forceAuth flag is <code>true</code> then the existing session
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is used and no new session is created; otherwise this constructor
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * behaves the same as the constructor with no forceAuth flag.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Caller would then use <code>login</code> to start the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication process and use <code>getRequirements()</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>submitRequirements()</code> to pass the credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * needed for authentication by the plugin authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method <code>getStatus()</code> returns the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ssoToken single sign on token representing the resource's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * previous authenticated session.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param forceAuth indicates that authentication process has to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * restarted and given single sign on token will be used and new
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * session will not be created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if <code>AuthContext</code> creation fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This exception is kept for backward compatibility only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthContext(SSOToken ssoToken, boolean forceAuth) throws
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Starts the login process for the given <code>AuthContext</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during login.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void login() throws AuthLoginException {
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington * Starts the login process for the given <code>AuthContext</code> object.
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington * @param request The HttpServletRequest that was sent to start the authentication process.
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington * @param response The corresponding HttpServletResponse for the HttpServletRequest.
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington * @throws AuthLoginException If an error occurred during login.
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington * @supported.api
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington public void login(HttpServletRequest request, HttpServletResponse response) throws AuthLoginException {
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington login(null, null, null, null, request, response);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Starts the login process for the given <code>AuthContext</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * identified by the index type and index name. The <code>IndexType</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * defines the possible kinds of "objects" or "resources" for which an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication can be performed. Currently supported index types are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * users, roles, services (or application), levels, resources and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param type Authentication index type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexName Authentication index name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during login.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void login(IndexType type, String indexName)
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(type, indexName, null, null, null, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Starts the login process for the given <code>AuthContext</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * identified by the index type and index name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>IndexType</code> defines the possible kinds of "objects"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or "resources" for which an authentication can
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be performed. Currently supported index types are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * users, roles, services (or application), levels, resources and mechanism.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * It allows the caller to pass in the desired locale for this request.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param type authentication index type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexName authentication index name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param locale locale setting
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during login
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void login(IndexType type, String indexName, String locale)
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(type, indexName, null, null, locale);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Starts the login process for the given <code>AuthContext</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * identified by the index type and index name and also completes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the login process by submitting the given User credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the form of Callbacks.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>IndexType</code> defines the possible kinds of "objects"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or "resources" for which an authentication can
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be performed. Currently supported index types are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * users, roles, services (or application), levels, resources and mechanism.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE : This is a simplified wrapper method to eliminate multi-step calls
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to 'login' and submit credentials. This method is useful and will work
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * only for those authentication modules which require only one set of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * callbacks or one page. This method can not be used to authenticate to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication modules which require user interaction or multiple pages.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param type Authentication index type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexName Authentication index name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param userInfo User information/credentials in the form of array of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Callback</code> objects. The <code>Callback</code> objects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * array must be in the same order as defined in the authentication
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * module properties file, otherwise authentication module code will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return single-sign-on token for the valid user after successful
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during login.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public SSOToken login(IndexType type, String indexName, Callback[] userInfo)
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(type, indexName, null, null, null, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Error: submitRequirements with userInfo : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (getStatus() == AuthContext.Status.SUCCESS) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Error: getSSOToken : " + e.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Starts the login process for the given <code>AuthContext</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * identified by the index type and index name with default parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>IndexType</code> defines the possible kinds of "objects"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or "resources" for which an authentication can be performed. Currently
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * supported index types are users, roles, services (or application),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * levels, resources and mechanism/authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexType authentication index type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexName authentication index name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param params contains the default values for the callbacks. The order
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of this array matches the callbacks order for this login process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value for the <code>PasswordCallback</code> is also in String
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * format, it will be converted to <code>char[]</code> when it is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * set to the callback. Internal processing for this string array
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * uses <code>|</code> as separator. Hence <code>|</code> should not
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be used in these default values. Currently only
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>NameCallback</code> and <code>PasswordCallback</code> are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * supported.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during login.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void login(IndexType indexType, String indexName, String[] params)
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(indexType, indexName, params, null, null, null);
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(indexType, indexName, params, null, request, response);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Starts the login process for the given <code>AuthContext</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * identified by the index type and index name with certain parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and environment map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>IndexType</code> defines the possible kinds of "objects"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or "resources" for which an authentication can be performed. Currently
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * supported index types are users, roles, services (or application),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * levels, modules and resources.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexType authentication index type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexName authentication index name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param params contains the default values for the callbacks. The order
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of this array matches the callbacks order for this login process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value for the <code>PasswordCallback</code> is also in String
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * format, it will be converted to <code>char[]</code> when it is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * set to the callback. Internal processing for this string array
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * uses <code>|</code> as separator. Hence <code>|</code> should not
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be used in these default values. Currently only
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>NameCallback</code> and <code>PasswordCallback</code> are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * supported.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envMap contains the environment key/value pairs. Key is a String
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object indicating the property name, value is a Set of String
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * values for the property. Currently this parameter is only applicable
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * when the indexType is <code>AuthContext.IndexType.RESOURCE</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during login.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void login(IndexType indexType, String indexName,
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(indexType, indexName, params, envMap, null, null);
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(indexType, indexName, params, envMap, null, request, response);
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(indexType, indexName, params, envMap, localeStr, request, response);
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington login(indexType, indexName, params, envMap, locale, null, null);
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott authURL = sessionCache.getSession(new SessionID(ssoTokenID)).getSessionServiceURL();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authServiceURL = getAuthServiceURL(authURL.getProtocol(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authURL.getHost(), Integer.toString(authURL.getPort()),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authServiceURL = getAuthServiceURL( server_proto,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext.login : runLogin against "
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington runLogin(indexType, indexName, params, envMap, locale,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("Failed to login to " + authServiceURL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("Failed to login to " + authServiceURL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // failover when authURL is not specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AuthLoginException(amAuthContext, "loginError",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Org Name : " + organizationName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("ssoTokenID: " + ssoTokenID);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("serviceURLs: " + serviceURLs);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("Failed to login in failover with " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AuthLoginException(amAuthContext, "loginError",null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!((indexType == IndexType.MODULE_INSTANCE) &&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster acLocal = com.sun.identity.authentication.service.AuthUtils.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster acLocal = com.sun.identity.authentication.service.AuthUtils.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAuthContext(organizationName, ssoTokenID, false,
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington LoginState loginState = acLocal.getLoginState();
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington * Set both the HttpRequest and HttpResponse on the login state so they are accessible by the Auth
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington Hashtable hashtable = AuthClientUtils.parseRequestParameters(request);
a393c458f24ae38c8259dea2245aa436abe248f9Phill Cunnington loginState.setHttpServletResponse(response);
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington acLocal.login(indexType, indexName, envMap, locale);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (acLocal.getStatus().equals(Status.SUCCESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if 7.0 RR style protocol needs to be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // This will setup NewAuthContext and authHandles
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Run Login
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington runRemoteLogin(indexType, indexName, params, envMap, locale,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // reset the retry count
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("useNewStyleRemoteAuthentication : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("useOldStyleRemoteAuthentication : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("receivedDocument : " + receivedDocument);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("loginException : " + loginException);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // If "Login" fails and we have not set 6.3, 7.0 RR style protocol
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // the server could be either 6.3 or 7.0 RR. Hence try "NewAuthContext"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and then "Login"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (getAuthenticationHandle(receivedDocument)).equals("null")) &&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext: trying 6.3 style remote " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "AuthN and setting the flag to use 6.3 style");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Server could be either 6.3 or 7.0 RR, try old style
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the Request XML with New AuthContext parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Re-try login process with AuthIdentifier
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington runRemoteLogin(indexType, indexName, params,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // reset the retry count
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington private void runRemoteLogin(IndexType indexType, String indexName, String[] params, Map envMap,
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major String locale, HttpServletRequest req, HttpServletResponse res) throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // remote auth
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringBuilder request = new StringBuilder(100);
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major if (ssoTokenID != null && "0".equals(authHandle)) {
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major authDebug.message("AuthContext.runRemoteLogin: Found SSOTokenID " + ssoTokenID);
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major request.append(MessageFormat.format(AuthXMLTags.XML_REQUEST_PREFIX, authHandle));
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major request.append(appSSOToken.getTokenID().toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(organizationName))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(hostName))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(locale))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_PAIR_BEGIN)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_USER_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_ROLE_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_SVC_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (indexType == IndexType.MODULE_INSTANCE) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_MODULE_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_LEVEL_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (indexType == IndexType.COMPOSITE_ADVICE) {
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major request.append(AuthXMLTags.INDEX_TYPE_COMPOSITE_ADVICE_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.INDEX_TYPE_RESOURCE);
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major .append(XMLUtils.escapeSpecialCharacters(indexName))
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major request.append(XMLUtils.escapeSpecialCharacters(locale));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringBuilder paramString = new StringBuilder();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (i != 0 ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster paramString.append(ISAuthConstants.PIPE_SEPARATOR);
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major paramString.append(XMLUtils.escapeSpecialCharacters(params[i]));
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major for (Map.Entry<String, Set<String>> entry : ((Map<String, Set<String>>) envMap).entrySet()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // convert Map to XMLString as follows:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // <EnvValue>keyname|value1|value2|...</EnvValue>
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major .append(AuthClientUtils.escapePipe(XMLUtils.escapeSpecialCharacters(keyName)));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envString.append(ISAuthConstants.PIPE_SEPARATOR)
f1e82b18ba6b6dd5dfc2569f2a83040b923233caPeter Major .append(AuthClientUtils.escapePipe(XMLUtils.escapeSpecialCharacters(value)));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.REMOTE_REQUEST_RESPONSE_START)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(AuthXMLTags.HTTP_SERVLET_REQUEST_START);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster encObj = AuthXMLUtils.serializeToString(new RemoteHttpServletRequest(req));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthXMLUtils::runRemoteLogin Unable to serailize http request", ioe);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("req=" + new RemoteHttpServletRequest(req).toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.HTTP_SERVLET_REQUEST_END);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.HTTP_SERVLET_RESPONSE_START);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster encObj = AuthXMLUtils.serializeToString(new RemoteHttpServletResponse(res));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthXMLUtils::runRemoteLogin Unable to serailize http response", ioe);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.HTTP_SERVLET_RESPONSE_END)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(AuthXMLTags.REMOTE_REQUEST_RESPONSE_END);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Not including req/res " + includeReqRes);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster request.append(AuthXMLTags.XML_REQUEST_SUFFIX);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // process the request, which will check for exceptions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and also get the authentication handle ID
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // if the app token was refreshed, retry remote login
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster loginException.getErrorCode().equals(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN) &&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Run remote login failed due to expired app token, retying");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // reset as we are starting again
42a452a9f1193f232b34e7c22706b8fe44207d3dPhill Cunnington runRemoteLogin(indexType, indexName, params, envMap, locale, req, res);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private void runRemoteOldAuthContext() throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringBuilder request = new StringBuilder(100);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AuthXMLTags.XML_REQUEST_PREFIX, (Object[])objs))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(organizationName))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // process the request, which will check for exceptions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and also get the authentication handle ID
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster receivedDocument = processRequest(request.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the set of Principals or Subject the user has been
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated as.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This should be invoked only after successful authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Subject</code> for the authenticated User.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the authentication fails or the authentication is in process,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this will return <code>null</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!acLocal.getStatus().equals(Status.SUCCESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>Map</code> object that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * contains cookies set by AM server
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a <code>Map</code> of cookie name and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Cookie</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns <code>true</code> if the login process requires more
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * information from the user to complete the authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: This method has to be called as a condition of a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>while</code> loop in order to complete the authentication process
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and get the correct <code>Status</code> after submitting the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * requirements.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if more credentials are required from the user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((!loginStatus.equals(Status.IN_PROGRESS)) ||
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ((getCallbacks(receivedDocument, false)) == null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns <code>true</code> if the login process requires more information
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * from the user to complete the authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: This method has to be called as a condition of a <code>while</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * loop in order to complete the authentication process and get the correct
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Status</code> after submitting the requirements.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param noFilter flag indicates whether to filter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PagePropertiesCallback</code> or not. Value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>true</code> will not filter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PagePropertiesCallback</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if more credentials are required from the user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean hasMoreRequirements(boolean noFilter) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (acLocal.hasMoreRequirements(noFilter));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((!loginStatus.equals(Status.IN_PROGRESS)) ||
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ((getCallbacks(receivedDocument, noFilter)) == null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns an array of <code>Callback</code> objects that must be populated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * by the user and returned back. These objects are requested by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication plug-ins, and these are usually displayed to the user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The user then provides the requested information for it to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authenticated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return an array of <code>Callback</code> objects requesting credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!acLocal.getStatus().equals(Status.IN_PROGRESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (getCallbacks(receivedDocument, false));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns an array of <code>Callback</code> objects that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * must be populated by the user and returned back.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * These objects are requested by the authentication plug-ins,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and these are usually displayed to the user. The user then provides
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the requested information for it to be authenticated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param noFilter boolean flag indicating whether to filter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PagePropertiesCallback</code> or not. Value <code>true</code> will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * not filter <code>PagePropertiesCallback</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return an array of <code>Callback</code> objects requesting credentials
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Callback[] getRequirements(boolean noFilter) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!acLocal.getStatus().equals(Status.IN_PROGRESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (getCallbacks(receivedDocument, noFilter));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Fetches the remote request from the context
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The Http Servlet Request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Fetches the remote response from the context
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The Http Servlet Response
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public HttpServletResponse getRemoteResponse() {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Submits the populated <code>Callback</code> objects to the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication plug-in modules. Called after <code>getRequirements</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method and obtaining user's response to these requests.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param info Array of <code>Callback</code> objects.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void submitRequirements(Callback[] info) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void submitRequirements(Callback[] info, HttpServletRequest request,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("submitRequirements with Callbacks : " + info);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if we are still in login session
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!acLocal.getStatus().equals(Status.IN_PROGRESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (acLocal.getStatus().equals(Status.SUCCESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if we are still in login session
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authHandles[0] = getAuthenticationHandle(receivedDocument);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AuthXMLTags.XML_REQUEST_PREFIX,(Object[])authHandles));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(appSSOToken.getTokenID().toString()).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(AuthXMLUtils.getXMLForCallbacks(info));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((localeStr != null) && (localeStr.length() > 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(localeStr))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // serialized request and response objects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(AuthXMLTags.REMOTE_REQUEST_RESPONSE_START)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(AuthXMLTags.HTTP_SERVLET_REQUEST_START);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster encObj = AuthXMLUtils.serializeToString(new RemoteHttpServletRequest(request));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthXMLUtils::runRemoteLogin Unable to serailize http request", ioe);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(AuthXMLTags.HTTP_SERVLET_REQUEST_END);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(AuthXMLTags.HTTP_SERVLET_RESPONSE_START);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster encObj = AuthXMLUtils.serializeToString(new RemoteHttpServletResponse(response));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthXMLUtils::runRemoteLogin Unable to serailize http response", ioe);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(AuthXMLTags.HTTP_SERVLET_RESPONSE_END)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(AuthXMLTags.REMOTE_REQUEST_RESPONSE_END);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Send the request to be processed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster receivedDocument = processRequest(xml.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Logs out the user and also invalidates the single sign on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * associated with this <code>AuthContext</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if an error occurred during logout.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void logout() throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authHandles[0] = getAuthenticationHandle(receivedDocument);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(MessageFormat.format(AuthXMLTags.XML_REQUEST_PREFIX,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(appSSOToken.getTokenID().toString()).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Send the request to be processed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster receivedDocument = processRequest(xml.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Logs out the user and also invalidates the single sign on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * associated with this <code>AuthContext</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method causes the logout to happen on the server and the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * correct SPI hooks to be called.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthLoginException if an error occurred during logout.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott authURL = sessionCache.getSession(new SessionID(ssoTokenID)).getSessionServiceURL();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authServiceURL = getAuthServiceURL(authURL.getProtocol(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authURL.getHost(), Integer.toString(authURL.getPort()),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authHandles[0] = ssoToken.getTokenID().toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(MessageFormat.format(AuthXMLTags.XML_REQUEST_PREFIX,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(appSSOToken.getTokenID().toString()).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Send the request to be processed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster receivedDocument = processRequest(xml.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns login exception, if any, during the authentication process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Typically set when the login fails.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return login exception.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public AuthLoginException getLoginException() {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the Single-Sign-On (SSO) Token for the authenticated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * user. If the user has not successfully authenticated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Exception</code> will be thrown.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Single sign token can be used as the authenticated token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Single-Sign-On token for the valid user after successful
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication.
5dc171fcee4f9e3e144b120a10a51dadbde01f69Phill Cunnington * @throws L10NMessageImpl if the user is not authenticated or an error is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * encountered in retrieving the user's single sign on token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
5dc171fcee4f9e3e144b120a10a51dadbde01f69Phill Cunnington public SSOToken getSSOToken() throws L10NMessageImpl {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!acLocal.getStatus().equals(Status.SUCCESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the loginStatus node
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node loginStatusNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new L10NMessageImpl(amAuthContext, "noStatusNode", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String ssoTokenIDTmp = XMLUtils.getNodeAttributeValue(loginStatusNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return new com.iplanet.sso.providers.dpro.SSOProviderImpl().
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the current status of the authentication process as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthContext.Status</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Status</code> of the authentication process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the current Auth Identifier of the authentication
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * process as String Session ID.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Auth Identifier of the authentication process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the Successful Login URL for the authenticated user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the Successful Login URL for the authenticated user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws Exception if it fails to get url for auth success
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public String getSuccessURL() throws Exception {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!acLocal.getStatus().equals(Status.SUCCESS)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster L10NMessageImpl(amAuthContext, "statusNotSuccess", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the loginStatus node
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster L10NMessageImpl(amAuthContext, "statusNotSuccess", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node loginStatusNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new L10NMessageImpl(amAuthContext, "noStatusNode", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (XMLUtils.getNodeAttributeValue(loginStatusNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the Failure Login URL for the authenticating user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the Failure Login URL for the authenticating user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws Exception if it fails to get url for auth failure
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public String getFailureURL() throws Exception {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the loginStatus node
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node loginStatusNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new L10NMessageImpl(amAuthContext, "noStatusNode", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (XMLUtils.getNodeAttributeValue(loginStatusNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Resets this instance of <code>AuthContext</code> object, so that a new
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * login process can be initiated. A new authentication process can be started
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * using any one of the <code>login</code> methods.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //organizationName = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //receivedDocument = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //loginException = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the organization name that was set during the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthContext</code> constructor.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Organization name in the <code>AuthContext</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns authentication module/s instances (or plugins) configured
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for an organization, or sub-organization name that was set during the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthContext</code> constructor.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Set of Module instance names.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authServiceURL = getAuthServiceURL(server_proto,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sendQueryInformation(AuthXMLTags.MODULE_INSTANCE);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //Receive data
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node queryResultNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Iterate through moduleInstanceNames
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster NodeList childNodes = queryResultNode.getChildNodes();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (int i = 0; i < childNodes.getLength(); i++) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String moduleName = XMLUtils.getValueOfValueNode(childNode);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Terminates an ongoing <code>login</code> call that has not yet completed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AuthLoginException if an error occurred during abort.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void abort() throws AuthLoginException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authHandles[0] = getAuthenticationHandle(receivedDocument);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(MessageFormat.format(AuthXMLTags.XML_REQUEST_PREFIX,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(appSSOToken.getTokenID().toString()).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Send the request to be processed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster receivedDocument = processRequest(xml.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check and set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the password for the certificate database.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * It is required to call only once to initialize certificate database if
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the password is not set in the password file (specified as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the value for <code>com.iplanet.am.admin.cli.certdb.passfile</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in <code>AMConfig.properties</code>). If both are set, this method will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * overwrite the value in certificate password file.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param password Password for the certificate database.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static void setCertDBPassword(String password) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class pcbClass = (Class) Class.forName(JSSE_PASSWORD_CALLBACK);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Object passwdCallback = (Object) pcbClass.newInstance();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster pcbClass.getMethod("setPassword", new Class[] { String.class });
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class initializer = Class.forName(JSS_PASSWORD_UTIL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Constructor initializerConstructor = initializer.getConstructor(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster initializerConstructor.newInstance(new Object[] { password });
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Error in setCertDBPassword : " + e.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the error template.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return error template.
5e14105f7bc7cb0b2d27fc1e2d9094c47fb5d0faPeter Major //something went terribly wrong, let's return with internal error template
5e14105f7bc7cb0b2d27fc1e2d9094c47fb5d0faPeter Major return AuthClientUtils.getErrorTemplate(AMAuthErrorCode.AUTH_ERROR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node exceptionNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster errTemplate = XMLUtils.getNodeAttributeValue(exceptionNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the error message.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return error message.
5e14105f7bc7cb0b2d27fc1e2d9094c47fb5d0faPeter Major //something went terribly wrong, let's return with internal error message
5e14105f7bc7cb0b2d27fc1e2d9094c47fb5d0faPeter Major return AuthClientUtils.getErrorMessage(AMAuthErrorCode.AUTH_ERROR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node exceptionNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster errMessage = XMLUtils.getNodeAttributeValue(exceptionNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns error code.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return error code with white space trimmed
5e14105f7bc7cb0b2d27fc1e2d9094c47fb5d0faPeter Major //something went terribly wrong
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node exceptionNode = XMLUtils.getRootNode(receivedDocument,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster errCode = XMLUtils.getNodeAttributeValue(exceptionNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the client's hostname or IP address. This could be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * by the policy component to restrict access to resources.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method is ineffective if the "Remote Auth Security" option under
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the global configuration of Core Authentication Service is not enabled.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method must be called before calling <code>login</code> method.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If it is called after calling <code>login</code> then
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it is ineffective.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param hostname hostname or ip address
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setClientHostName(String hostname) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the client's hostname or IP address as set by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * setClientHostName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return hostname/IP address
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the locale based on the user's locale preference.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param loc locale preference of user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the locale preference set in this AuthContext.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return user preferred locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // if the app token is invalid, refresh the token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (error != null && error.equals(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster exception = new AuthLoginException("amAuth", error, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster XMLUtils.getRootNode(receivedDocument, AuthXMLTags.REMOTE_REQUEST_RESPONSE));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster remoteResponse = AuthXMLUtils.getRemoteResponse(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster XMLUtils.getRootNode(receivedDocument, AuthXMLTags.REMOTE_REQUEST_RESPONSE));
922844de5481544a96a550898bfe5ca1b519812cPeter Major //since there was no error, we should reset the loginException, to handle the case when the first auth
922844de5481544a96a550898bfe5ca1b519812cPeter Major //server was not available.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the status attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String status = XMLUtils.getNodeAttributeValue(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (status.equals(Status.SUCCESS.toString())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (status.equals(Status.FAILED.toString())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (status.equals(Status.COMPLETED.toString())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (status.equals(Status.IN_PROGRESS.toString())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (status.equals(Status.RESET.toString())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster XMLUtils.getRootNode(receivedDocument, AuthXMLTags.REMOTE_REQUEST_RESPONSE));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster remoteResponse = AuthXMLUtils.getRemoteResponse(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster XMLUtils.getRootNode(receivedDocument, AuthXMLTags.REMOTE_REQUEST_RESPONSE));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("LoginStatus : " + loginStatus);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void sendQueryInformation(String reqInfo) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(MessageFormat.format(AuthXMLTags.XML_REQUEST_PREFIX,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster xml.append(appSSOToken.getTokenID().toString()).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(organizationName))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Send the request to be processed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster receivedDocument = processRequest(xml.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check and set the login status
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Login has failed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String urlStr = url.getProtocol() + "://" + url.getHost() + ":"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("in setLocalFlag(), url : " + urlStr);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext.localAuthServiceID : " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthContext::setLocalFlag:: " + e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected Document processRequest(String xmlRequest)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster RequestSet set = new RequestSet(AuthXMLTags.AUTH_SERVICE);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (url.getProtocol().equals("https") && (nickName != null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String protHandler = protHandlerPkg + ".https.Handler";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class.forName(protHandler).getConstructor(paramtype);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (URLStreamHandler)construct.newInstance(param);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster url = new URL(url.getProtocol(), url.getHost(), url.getPort(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Service URL : " + url.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Vector responses = PLLClient.send(url, set, cookieTable);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((responses.isEmpty()) || (responses.size() != 1)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new L10NMessageImpl(amAuthContext, "responseError", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Response res = (Response) responses.elementAt(0);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new ByteArrayInputStream(responseStr.getBytes("UTF-8")));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("error in getting service url", e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AuthLoginException(amAuthContext, "xmlProcessError",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected static void checkForException(Document document)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new AuthLoginException(XMLUtils.getNodeAttributeValue(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected String getAuthenticationHandle(Document document)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AuthLoginException(amAuthContext, "responseError", null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String authID = XMLUtils.getNodeAttributeValue(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (AuthXMLUtils.getCallbacks(XMLUtils.getRootNode(document,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected static Subject getSubject(Document document) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node loginStatusNode = XMLUtils.getRootNode(document,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node subjectNode = XMLUtils.getChildNode(loginStatusNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String subject = XMLUtils.getValueOfValueNode(subjectNode);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Subject sSubject = AuthXMLUtils.getDeSerializedSubject(subject);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("get Deserialized subject error : " , e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected static String getXMLforSubject(Subject subject) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return ("");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringBuilder request = new StringBuilder(100);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String serializeSubject = AuthXMLUtils.getSerializedSubject(subject);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the account lockout message. This can be either a dynamic
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * message indicating the number of tries left or the account
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * deactivated message.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return account lockout message.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Account Lockout Warning Check by scanning the error
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // message in the exception thrown by the server
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (lockoutMsg.indexOf("Account lockout") == -1)){
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns <code>true</code> if the account is locked out.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the account is locked out.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean isLockedOut = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>Status</code> defines the possible
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * authentication states during the login process.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.all.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>NOT_STARTED</code> status indicates that the login process
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * has not yet started. Basically, it means that the method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>login</code> has not been called.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status NOT_STARTED = new Status("not_started");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>IN_PROGRESS</code> status indicates that the login process
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is in progress. Basically, it means that the <code>login</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method has been called and that this object is waiting for the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to send authentication information.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status IN_PROGRESS = new Status("in_progress");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>SUCCESS</code> indicates that the login process has
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * succeeded.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status SUCCESS = new Status("success");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>FAILED</code> indicates that the login process has failed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status FAILED = new Status("failed");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>COMPLETED</code> indicates that the user has been
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * successfully logged out.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status COMPLETED = new Status("completed");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>RESET</code> indicates that the login process has been
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * reset or re-initialized.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status RESET = new Status("reset");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>ORG_MISMATCH</code> indicates that the framework
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>org</code> and the <code>org</code> required by the user do
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * not match.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final Status ORG_MISMATCH = new Status("org_mismatch");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // do nothing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the string representation of the authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return String representation of authentication status.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if two authentication status objects are equal.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param authStatus Reference object with which to compare.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the objects are same.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>IndexType</code> defines the possible kinds of "objects"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or "resources" for which an authentication can be performed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.all.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>USER</code> index type indicates that the index name given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * corresponds to a user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final IndexType USER = new IndexType("user");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>ROLE</code> index type indicates that the index name given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * corresponds to a role.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final IndexType ROLE = new IndexType("role");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>SERVICE</code> index type indicates that the index name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given corresponds to a service (or application).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final IndexType SERVICE = new IndexType("service");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>LEVEL</code> index type indicates that the index name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given corresponds to a given authentication level.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final IndexType LEVEL = new IndexType("level");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>MODULE_INSTANCE</code> index type indicates that the index
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name given corresponds to one of the authentication modules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final IndexType MODULE_INSTANCE =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>RESOURCE</code> index type indicates that the index
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name given corresponds to a given policy protected resource URL.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>COMPOSITE_ADVICE</code> index type indicates that the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * index name given corresponds to string in the form of XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * representing different Policy Authentication conditions, example
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthSchemeCondition</code>, <code>AuthLevelCondition</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final IndexType COMPOSITE_ADVICE =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // do nothing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the string representation of the index type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return String representation of index type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if two index type objects are equal.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param indexType Reference object with which to compare.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the objects are same.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster handle = getAuthenticationHandle(receivedDocument);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // do nothing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authservice = WebtopNaming.getServiceURL(AuthXMLTags.AUTH_SERVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("Failed to obtain auth service url from server: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster com.iplanet.dpro.session.service.InternalSession oldSess
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthContext.onSuccessLocal: ",
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott InjectorHolder.getInstance(SessionService.class).destroyInternalSession(oldSess.getID());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the application sso token. Can perform a check to ensure that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the app token is still valid (requires a session refresh call to OpenAM)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param refresh true if we should check with OpenAM if the app token is valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a valid application's sso token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private SSOToken getAppSSOToken(boolean refresh) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster appToken = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext::getAppSSOToken: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "unable to get app ssotoken " + aspe.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // ensure the token is valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOTokenManager ssoTokenManager = SSOTokenManager.getInstance();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext.getAppSSOToken(): " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "App SSOToken is invalid, retrying");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster appToken = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext::getAppSSOToken: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "unable to get app ssotoken " + aspe.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("AuthContext.getAppSSOToken(): " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "unable to refresh app token: " + ssoe.getL10NMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster appToken = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.error("AuthContext::getAppSSOToken: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "unable to get app ssotoken " + aspe.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authDebug.message("Obtained App Token= " + appToken.getTokenID().toString());